As noted in this Washington Post article, Investigations have now determined the system that stored the information disclosed by Wikileaks had quite a few failures of process and procedure that lead to the “leaking” of the 250,000 documents.

From a pure information security standpoint, the Information Classification Policies, the Access Control (monitoring), and the Data Handling procedures all contributed to the loss of the diplomatic cables.

Information Classification – Everyone has an idea of information classification from watching movies and seeing file folders with the words “TOP SECRET” stamped in RED on the outside. Well we don’t use the plain manila folders as much anymore and rely on computers to store and disseminate information. To do so, information has to be properly classified and flagged so it exists in the right systems and is available to the right audience. In the case of this particular Defense Department system it appears that those responsible for flagging the data have done so incorrectly on many, many occasions. The article already states that this was done in error as embassy employees were putting information into the system without knowing what the codes meant. So at the root of the issue here is that users had access to the system and information without complete understanding/training.

Access Control (monitoring) – I added monitoring to this because it’s not a pure access control issue. The State Department has made it practice to place monitoring tools on their systems so they can “know” where information goes as well as help prevent it from being used in an inappropriate manner. DLP (Data Loss Prevention) products are commonly used for this type of activity. Unfortunately the Defense Department much not be as on the ball as the State Department in making sure they are monitoring the use of their data. However it doesn’t absolve the State Department either as they should be also aware of where their information exists (as difficult as that really is) and help control it.

Data Handling – you add the last two issues up and you’ve now provided the opportunity for someone do mishandle data. Wether that means you accidentally print or move a file or you copy 250,000 files to a CD and give them to someone without proper security clearance (I believe we call that espionage). Regardless the system users are also trained on what they should do (called handling) with data. Certain things you don’t print, you can’t email documents or information, you don’t put them on removable media. This is part in parcel to having a security clearance. Granted the next step in access the information is the matter of “need to know” and our initial issue with the misclassification of the documents provided access to many people without the need to know.

So prior to 9-11 we had systems that were too closed and information sharing was blamed as a root cause for not being able to detect the planning of the attacks. Now 10 years later the pendulum has swung the other direction and we are sharing to the point of being careless with information. From the surface it appears that some better training and enforcement of current policies and procedures would help bring that pendulum back to the center while also keeping the appropriate people informed to keep us all safe.

My research on information classification policies kept turning up the statement that “the integrity of public information is not vital” for public and unclassified information. I even stated the same in my earlier article on Information Classification. I had taken for granted that this statement is correct. That is, until I was called out by a co-worker.

“You can’t be serious, right?” was how I was approached.

“The integrity is not vital?”

She began to explain her viewpoint on it and my first thought was “…at least someone read my article…”. Then I started to wonder, why did I take that for granted?

On its face, you could make the argument that, maybe they mean that you can’t control the information once it’s in the public so you can’t possibly be capable of maintaining its integrity. Or could they really mean that you are concerned about the integrity of the source of the information and that as long as the source integrity is maintained, then your information is good?

Yeah, that justifies the statement. Now we can all sleep peacefully.

But then you read further and statements are made to further qualify the position by providing examples of what types of information are included in this classification:

Product brochures widely distributed

Information widely available in the public domain, including publicly available Company web site areas

Sample downloads of Company software that is for sale

Financial reports required by regulatory authorities

Newsletters for external transmission

So if I put those pieces of information together, I can make statements like: We are not concerned about the integrity of the information found in our product brochures. Hmm… don’t think that flies.

Okay, let me try again. We are not concerned about the integrity of the software downloads that our customers (or potential customers) could download from our site. Okay we’re 0 for 2. Remind me never to buy software from anyone who actually thinks this…

Last try. We are not concerned about the integrity of the financial reports required by regulatory authorities. Um, hello, Enron? I think we found your information classification policy.

So which is it? Are the commonly accepted frameworks incorrect? Or are they being widely misinterpreted?

Let’s address the frameworks first:

ISO guidance states that”All information should be classified into categories. This classification should be based on value, sensitivity, legal requirements, and criticality to the organization. The classification policy should include guidelines for the initial classification and the reclassification of the data. The classification schemes should not be overly complex.” Okay, nothing wrong there.

The FFIEC Handbook states “A data classification program should be established to identify and rank data, systems, and applications in their order of importance.” I’m good with that too.

NIST says “The organization must assign assurance categories for all information types that can be associated with both user information and system information, and can be applicable to information in either electronic or non-electronic form. The organization must also assign appropriate assurance categories for each system and information type (low, moderate, or high for confidentiality, integrity, and availability) based upon the potential impact for the loss of each of the just mentioned assurance objectives.”

Well then. I don’t see anything listed in the frameworks that makes any statement on integrity, other than you need to make a determination of integrity for each item/classification.

So what does that leave us with? The mass redistribution of an incorrect statement across the Internet. I would inset a poll to see how many people are surprised by that, but it seems a bit unnecessary.

Somewhere along the way, a policy or guideline was written and publically posted. It was either one of the first references to the subject or had very good search engine results. Because of that, it managed to make its way into many more articles and policies posted online. So much so that the abundance of that information made it assumed to be correct.